Hi all, basically, if have exactly this problem already described 
because there is no answer since 2009, I'll give it a try. The setup of
the 2 servers is also the same as in the other threadonly exception is,
that my boxes are behind a "master" firewallwhich I do not manage. I have
2 OpenBSD 6.0 servers that should just act as a load balancerfor SFTP
connections. We use DSR mode because huge files getdownloaded from the
SFTP servers and don't want the "load" topass completly through the
OpenBSD load balancers. Everything is working as long as I don't do a
failover to the backup system.In this situation, I see, that the "new"
carp master "resets" the connectionof the client. Immediatly opening a
new SFTP sessions then works asexpected through the "new" carp master.
This is my /etc/pf.conf (identical on both). Still testing.. # cat
carp_if = "vmx0"
sync_if = "vmx1"# already allow pfsync and carp protocols
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on $carp_if proto carp keep state (no-sync)# allow relayd to
communicate with pf and set rules
anchor "relayd/*" And this is the relayd.conf log updates
prefork 5fx_vip = "VIP"table <fxhosts> {
}redirect FX-SFTP {
listen on $fx_vip port 22 interface vmx0
route to <fxhosts> check tcp interface vmx0
This is the "ruleset" (identical on both) after reloading pf # pfctl -a
'*' -s rules
pass quick on vmx1 proto pfsync all keep state (no-sync)
pass on vmx0 proto carp all keep state (no-sync)
anchor "relayd/*" all {
anchor "FX-SFTP" all {
pass in quick on vmx0 on rdomain 0 inet proto tcp from any to VIP port =
22 flags any keep state (sloppy, tcp.established 600) route-to
<FX-SFTP>@vmx0 round-robin sticky-address
} When the first connection is made, I see the state on thebackup carp
machine. But with slightly different content. This is on "master" all tcp
 [0 + 1]  [946261580 + 2]
 age 00:00:35, expires in 00:09:37, 16:0 pkts, 913:0 bytes, anchor 2,
rule 2, sloppy  id: 57fbd5520000a2b4 creatorid: d4cdd00a "expires" is 10
minutes (tcp.established 600) and I see the anchor and rulewhich
generated state This in on "backup" all tcp VIP:22 <- CLIENT:43334
 [0 + 1]  [946261580 + 2]
 age 00:00:32, expires in 23:59:41, 0:0 pkts, 0:0 bytes, sloppy
 id: 57fbd5520000a2b4 creatorid: d4cdd00a expires is 1 day (?) and
"backup" did not yet see any packes. Now, how can I get this to work, so
the sessions won't be terminatedin case of a failover. Every help will be
appreciated. Kind regards,Robert

Reply via email to